“W32.Bugbear@mm or  I-Worm.Tanatos”
October 3, 2002

The National Infrastructure Protection Center (NIPC) is issuing this
advisory to heighten the awareness of an e-mail-borne worm known as
W32.Bugbear or I-Worm.Tanatos.  This network-aware worm, which is being
circulated as an e-mail attachment, appears to target machines running
Microsoft software.  The worm is attached to e-mails with a wide variety
of subject lines such as "bad news," "Membership Confirmation," "Market
Update Report," and "Your Gift," and appears to use randomly generated
names to avoid detection by anti-virus software, as well as multiple
file extensions to disguise the fact that it is an executable file.
W32/Bugbear-A tries to copy itself to all types of shared network
resources.  The anti-virus industry has reported that this worm has
infected over 22,000 systems in the past 24 hours and is continuing to
grow.   Due to its keystroke logging and backdoor capabilities, the worm
is capable of intercepting victim’s Internet activity, for example,
credit-card information, banking information, usernames and passwords. 
The NIPC is urging all infected owners to change logins and passwords
after the infection has been reported and removed.   System
administrators should be aware that attackers could exploit these
vulnerabilities to gain remote access which could enable the attacker to
take any action desired, such as installing malicious code; running
programs; and, reconfiguring, adding, changing, or deleting files.  


The Bugbear worm arrives in victims' in-boxes in the form of a random
e-mail. The only constant signature of the worm has been the size of the
attachment, which to date has been 50,688 bytes.  The virus installs a
Trojan horse component called “PWS-Hooker” on infected machines.  The
Trojan program searches for and tries to disable a number of common
Windows processes, and popular anti-virus and firewall software.  The
actual infected file arrives as an attachment. The subject line, name of
the attachment, and text in the body of the message can vary; the
attachment name typically has a double extension, such as “.doc.pif.”  
The worm may also attempt to determine the presence of an Apache 1.3.26
web server and relay this information to an external email address; it
continuously looks for and terminates processes by listening to port
36794/tcp and port 137/udp.  When a remote system is restarted, the
worm's file gets control and infects a system. 

The worm exploits the MIME and IFRAME vulnerability in versions of
Microsoft Internet Explorer 5.01 and 5.5.  However, users running
Internet Explorer 5.01 service pack 2 are not affected by this
vulnerability. These vulnerabilities may allow an executable attachment
to run automatically, even if the user does not double-click on the
attachment.  An option in Microsoft Internet Explorer executive preview
pane allows users to view e-mail without clicking on the email.  Users
can delete the e-mail before viewing in the preview pane by turning the
option off until appropriate patches have been applied.

Microsoft has issued a patch to secure against these attacks. The patch
can be downloaded from Microsoft Security Bulletin MS01-027:
(This patch was released to fix a number of vulnerabilities in
Microsoft's software, including the ones exploited by this worm.)

Several anti-virus software vendors have updated their signature files
to recognize this worm in an attempt to stop the infection upon
contact.  In some cases, anti-virus software will remove an active
infection from your system. Additional information obtained at:
Central Command





The NIPC strongly urges the community to consider applying patches from
Microsoft to secure against these attacks.   All versions of Windows are
vulnerable to this worm's ability to arrive via open file sharing. Users
of Macintosh, Linux, and Unix are not at risk.  Users of Internet
 Explorer 6 should be safe from the e-mail portion of this worm. 

The NIPC encourages recipients of this advisory to report computer
intrusions to their local FBI office
(http://www.fbi.gov/contact/fo/fo.htm) and other appropriate
authorities.  Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm.  The NIPC Watch and Warning Unit
can be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to